Opened 7 years ago

Closed 6 years ago

#27863 closed New feature (fixed)

Implement "SameSite" flag for session and CSRF cookies

Reported by: Alex Gaynor
Owned by: Paweł Krawczyk
Component: HTTP handling
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no


SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection, but at 50% global deployment it'd be very useful for Defense in Depth.

I believe simply adding SameSite=lax to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).

Change History (7)

comment:1 by Alex Gaynor, 7 years ago

Note: this requires a change to the stdlib cookies module: I suspect with some hackery this can be worked around in Django though.

comment:2 by Paweł Krawczyk, 7 years ago

Owner: changed from nobody to Paweł Krawczyk
Status: new → assigned

This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.
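
Added example (not code from the ticket, the pull request, or Django itself) illustrating the two points raised above: the ticket description's claim that emitting SameSite on the session cookie is enough to block the classic cross-site POST, and comment:1's remark that the stdlib cookies module needs a change before it will emit the attribute. The `set_cookie_header` helper, the `browser_sends_cookie` decision rule and the `classic_csrf_blocked` scenario are hypothetical names written for this example; the `Morsel._reserved` registration is assumed to be the kind of workaround comment:1 has in mind, and the Lax/Strict/None send rule is a simplified model of browser behaviour, not a quotation of the specification.

```python
from http import cookies

# Before Python 3.8, http.cookies.Morsel does not know the SameSite attribute
# and raises CookieError when you try to set it.  Registering the attribute in
# the class-level _reserved table makes SimpleCookie emit it (assumed to be the
# "hackery" comment:1 refers to).  On 3.8+ the entry already exists and
# setdefault is a no-op, so this is safe on both.
cookies.Morsel._reserved.setdefault("samesite", "SameSite")

VALID_SAMESITE = ("Lax", "Strict", "None")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def set_cookie_header(name, value, samesite="Lax", secure=False,
                      httponly=False, path="/"):
    """Build a Set-Cookie header value carrying a SameSite attribute.

    Hypothetical helper modelled on the idea in comment:2 that the flag can be
    attached where the response cookie is built; it is not Django's
    HttpResponse.set_cookie().
    """
    if samesite not in VALID_SAMESITE:
        raise ValueError("samesite must be one of %r" % (VALID_SAMESITE,))
    if samesite == "None" and not secure:
        # Browsers drop SameSite=None cookies that are not also marked Secure.
        raise ValueError("SameSite=None requires the Secure flag")
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["samesite"] = samesite
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    # Morsel.OutputString() emits attributes in sorted-key order, e.g.
    # "sessionid=abc; HttpOnly; Path=/; SameSite=Lax; Secure".
    return morsel.OutputString()


def browser_sends_cookie(samesite, cross_site, method, top_level_navigation):
    """Simplified model of whether a browser attaches the cookie to a request.

    Assumed rule (an approximation for this example, not a spec quote):
      Strict -> never on cross-site requests
      Lax    -> cross-site only for top-level navigations using a safe method
      None   -> always (same-site behaviour)
    """
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # SameSite=None


def classic_csrf_blocked(samesite):
    """The textbook CSRF: an attacker page auto-submits a cross-site POST form
    (a top-level navigation with an unsafe method) to the victim site.  The
    attack only works if the session cookie rides along."""
    return not browser_sends_cookie(samesite, cross_site=True,
                                    method="POST", top_level_navigation=True)


if __name__ == "__main__":
    print(set_cookie_header("sessionid", "abc123", samesite="Lax",
                            secure=True, httponly=True))
    for mode in VALID_SAMESITE:
        print("%-6s blocks cross-site POST: %s" % (mode, classic_csrf_blocked(mode)))
    # Caveat: Lax still sends the cookie on a cross-site top-level GET, so a
    # state-changing GET endpoint gets no protection from it.
    print("Lax sends cookie on cross-site GET link:",
          browser_sends_cookie("Lax", True, "GET", True))
```

The last print is the caveat behind the "almost certainly not this simple" note in the description: `SameSite=Lax` stops the cross-site POST but not a top-level cross-site GET, and `Strict` also suppresses the cookie on ordinary inbound links, so neither replaces the CSRF token; they layer on top of it.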

comment:4 by Paweł Krawczyk, 7 years ago

Version: 1.10 → master

comment:5 by Simon Charette, 7 years ago

Component: contrib.sessions → HTTP handling
Needs documentation: set
Needs tests: set
Patch needs improvement: set
Summary: Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies

comment:6 by Tim Graham, 6 years ago

Needs documentation: unset
Needs tests: unset

New PR (still needs some work)

comment:7 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: assigned → closed

In 9a56b4b1:

Fixed #27863 -- Added support for the SameSite cookie flag.

Thanks Alex Gaynor for contributing to the patch.
